# rules-save generated by awall
*filter
# Default-deny on all three built-in chains; everything that should pass must be
# admitted explicitly below. Counters are reset to [0:0] on restore.
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# Per-service user chains: DNAT'd IMAP/LDAP targets, the ICMP whitelist, the
# HTTPS/LDAP rate limiters and the HTTPS log-then-drop tail.
:address-imap-0 - [0:0]
:address-ldap-0 - [0:0]
:icmp-routing - [0:0]
:limit-https-0 - [0:0]
:limit-ldap-0 - [0:0]
:logdrop-https-0 - [0:0]
# Logging only: LOG is non-terminating, the packet keeps traversing the chain.
# NOTE(review): --log-level emerg on every inbound FTP SYN from eth0 lets any
# remote host generate emergency-level syslog at will; info/notice is the norm.
-A FORWARD -i eth0 -p tcp --dport 6667 -j LOG --log-level 6
-A FORWARD -i eth0 -p tcp --dport 21 -j LOG --log-level emerg
# Stateful fast path: established flows and ICMP errors related to them.
# NOTE(review): the *raw table below marks all traffic from eth0, from
# eth1/10.0.0.0/12 and all locally generated traffic --notrack; for those packets
# no -m conntrack match in this table (ESTABLISHED, RELATED, DNAT) can succeed.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
# Port-forwarded services: admit only packets the *nat table actually DNAT'd to
# the internal host; HTTPS additionally passes the per-source rate limiter.
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
# IMAP and LDAP towards 10.0.0.0/12 are decided in their own chains
# (DNAT target check, plus the LDAP limiter).
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -p tcp --dport 143 -j address-imap-0
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -p tcp --dport 389 -j address-ldap-0
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -p udp --dport 389 -j address-ldap-0
# "-p 123" is IP protocol number 123 (PTP), not UDP port 123 (NTP).
-A FORWARD -p 123 -j ACCEPT
# Payload match: any packet on ppp0 whose content contains "bar is open" is
# accepted regardless of port or state. The trigger string is fully
# attacker-controllable, so this is an intentional bypass, not a filter.
-A FORWARD -i ppp0 -m string --string "bar is open" --algo bm -j ACCEPT
# NOTE(review): unconditional ACCEPT for everything forwarded in from eth0.
# It is evaluated before the zone matrix, so every later "-i eth0" rule is
# dead and the DNAT-state checks above are bypassed for anything eth0 sends.
# If eth0 is the untrusted side, there is effectively no forward policy for it.
-A FORWARD -i eth0 -j ACCEPT
# Zone-to-zone forwarding matrix: eth1 = 10.0.0.0/12, eth2/eth3 = 10.1.0.0/12,
# eth4/eth5 unrestricted, plus traffic matched by an IPsec policy in either
# direction. The eth1 -> eth2/eth3 pair appears twice (identical rules).
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth4 -j ACCEPT
-A FORWARD -i eth0 -o eth5 -j ACCEPT
-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -i eth5 -o eth0 -j ACCEPT
-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth4 -o eth5 -j ACCEPT
-A FORWARD -i eth5 -o eth4 -j ACCEPT
-A FORWARD -i eth5 -o eth5 -j ACCEPT
-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
# Remaining ICMP: only the whitelisted error types are accepted; icmp-routing
# itself drops nothing, unmatched packets return and hit the DROP policy.
-A FORWARD -p icmp -j icmp-routing
# INPUT prelude: logging and mirroring applied to every packet before any verdict.
-A INPUT -i eth0 -p tcp --dport 6667 -j LOG --log-level 6
-A INPUT -i eth0 -p tcp --dport 21 -j LOG --log-level emerg
# Sampled logging: a 20% random sample to ULOG, every 5th packet to NFLOG.
# NOTE(review): the ULOG target was removed from the kernel in 3.17; on a
# current kernel iptables-restore rejects these lines and the whole *filter
# table fails to load (the same applies to the OUTPUT ULOG rule). Use NFLOG.
-A INPUT -m statistic --mode random --probability 0.2 -j ULOG --ulog-qthreshold 10
-A INPUT -m statistic --mode nth --every 5 --packet 0 -j NFLOG --nflog-prefix "FOO " --nflog-threshold 3
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
# TEE clones every packet reaching INPUT to 10.0.0.2 and again to 10.0.0.1; the
# original continues down the chain.
# NOTE(review): this mirrors all traffic addressed to the firewall itself
# (including management sessions) to two internal hosts; confirm that is
# intended and that those hosts discard the copies.
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
# Rate-limited (1/s) catch-all log of everything reaching INPUT.
-A INPUT -m limit --limit 1/second -j LOG
# Stateful fast path and loopback (see the *raw --notrack caveat above).
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
# Port-forward targets, same DNAT-state checks as in FORWARD.
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A INPUT -p 123 -j ACCEPT
-A INPUT -i ppp0 -m string --string "bar is open" --algo bm -j ACCEPT
# NOTE(review): these two rules accept everything arriving on eth0 and then
# everything else, which overrides the INPUT DROP policy entirely; the final
# ICMP rule is unreachable and the earlier DNAT-state/limiter checks only
# matter for packets that did not already match here (i.e. none).
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
# OUTPUT: stateful fast path, loopback, sampled ULOG, protocol 123.
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p 123 -j ACCEPT
# NOTE(review): unconditional ACCEPT; the two rules after it are unreachable
# and the OUTPUT DROP policy never applies.
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
# DNAT'd IMAP/LDAP targets: IMAP is accepted outright, LDAP goes through its
# limiter. Packets not DNAT'd to the expected host fall back to the caller.
-A address-imap-0 -d 10.0.0.5 -m conntrack --ctstate DNAT -j ACCEPT
-A address-ldap-0 -d 10.0.0.6 -m conntrack --ctstate DNAT -j limit-ldap-0
# ICMP whitelist: destination-unreachable (3), time-exceeded (11),
# parameter-problem (12). Echo request/reply are not included.
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
# HTTPS limiter, keyed on the full source address via the 'recent' list: once a
# source has accumulated two recorded hits within the last second, further
# packets from it go to logdrop; otherwise the hit is recorded and accepted.
-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
# LDAP limiter: per-source-IP hashlimit, sustained 50/s with a burst of 50;
# excess is logged (at most 1/s) and dropped.
-A limit-ldap-0 -m hashlimit --hashlimit-upto 50/second --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-ldap-0 -j ACCEPT
-A limit-ldap-0 -m limit --limit 1/second -j LOG
-A limit-ldap-0 -j DROP
# Log (rate-limited to 1/s) then drop HTTPS packets that exceeded the limiter.
-A logdrop-https-0 -m limit --limit 1/second -j LOG
-A logdrop-https-0 -j DROP
COMMIT
*mangle
# Firewall-mark assignments. Plain --set-mark overwrites the whole mark, so a
# later rule on the packet's path replaces an earlier one.
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# Transit from eth1/10.0.0.0/12 to eth2 or eth3 (10.1.0.0/12) carries mark 2.
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
# Locally delivered traffic gets mark 3, locally generated traffic mark 1.
-A INPUT -j MARK --set-mark 3
-A OUTPUT -j MARK --set-mark 1
# Anything leaving towards eth1/10.0.0.0/12 is re-marked 3. NOTE(review):
# POSTROUTING runs after the routing decision, so this mark cannot be used
# for policy routing; it only reaches the egress path (e.g. tc / other
# filters). Confirm that is what the mark is for.
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
# Everything arriving on eth0 starts with mark 1; the INPUT and POSTROUTING
# rules above overwrite it on their respective paths.
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:masquerade - [0:0]
# NOTE(review): SNAT in the nat INPUT chain rewrites the source of every new
# connection delivered to the firewall itself, and the port-less REDIRECT in
# OUTPUT sends every new locally originated connection back to the local host
# on the same port. Both read like feature-coverage entries rather than a
# usable policy; confirm intent before deploying this table.
-A INPUT -j SNAT --to-source 10.1.2.3
-A OUTPUT -j REDIRECT
# Outbound NAT: masquerade via eth0; fixed-source SNAT into eth1/10.0.0.0/12;
# sources listed in ipset "awall-masquerade" are masqueraded unless the
# destination is also in the set (see the masquerade chain).
# NOTE(review): the ipset must exist before this file is restored, otherwise
# iptables-restore aborts and the whole *nat table is left unloaded.
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3
-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade
# Inbound port forwards from eth0. SMTP/HTTP/IMAP/LDAP are bound to a public
# address; the SSH (22 -> 8022-8033) and HTTPS forwards carry no -d and so
# apply to every destination address seen on eth0, including the firewall's own.
-A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -i eth0 -p tcp --dport 143 -d 192.168.0.3 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -i eth0 -p tcp --dport 389 -d 192.168.0.4 -j DNAT --to-destination 10.0.0.6
-A PREROUTING -i eth0 -p udp --dport 389 -d 192.168.0.4 -j DNAT --to-destination 10.0.0.6
# Catch-all REDIRECT: every other new connection from eth0 or from
# eth1/10.0.0.0/12 is redirected to the firewall's own address, same port.
# NOTE(review): the *raw table marks exactly these interfaces --notrack, and
# the nat table only sees the first packet of a tracked connection, so none
# of the PREROUTING rules above take effect while that raw table is loaded.
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
# Masquerade unless the destination is also a member of the set (set-to-set
# traffic keeps its real source).
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# Connection-tracking exemptions.
# NOTE(review): these exclude all locally generated traffic, everything
# arriving on eth0, everything from eth1/10.0.0.0/12 and everything addressed
# to a local address from conntrack. Untracked packets are never processed by
# the *nat table and never match -m conntrack, so the DNAT/REDIRECT rules and
# the --ctstate ESTABLISHED/RELATED/DNAT rules in *filter are dead for exactly
# the traffic they target. Either drop these rules or narrow them to the
# specific high-volume flows that genuinely need to bypass tracking.
-A OUTPUT -j CT --notrack
-A PREROUTING -i eth0 -j CT --notrack
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
